Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to solve the problem that existing network security personnel identify a suspected subject with low efficiency, an embodiment of the present invention provides an information processing method. As shown in fig. 1, the method includes:
101. Acquiring the reporting information reported by different users.
This embodiment mainly concerns fraud carried out through phishing, so the reporting information reported by different users mainly refers to all information about users who were cheated through phishing. The specific reporting information includes the information involved in the fraud process, such as the personal information of the victim, the amount defrauded and the fraud mode.
The reporting information of different users is acquired from the reporting information base of a reporting platform. The reporting information in the reporting information base comes from two sources: in the first, the user reports directly through a reporting channel of the reporting platform, and the platform stores the reporting information directly in its reporting information base; in the second, the user reports offline to network security personnel, who record the reporting information and upload the record directly to the reporting information base of the reporting platform.
102. Searching for the same suspicion clue information in different reporting information.
A suspected subject may use different fraud methods, such as directly using a phishing website, using other phishing websites that share the Internet Protocol (IP) address of that phishing website, or using communication accounts (mobile phone numbers, QQ numbers and the like) to send suspected websites to users. A single piece of reporting information, however, may not contain the suspicion clue information used in all fraud modes of the same suspected subject. Suspicion clue information refers to the communication accounts, websites, mailboxes and the like involved in the fraud process, so correlation analysis has to be performed on the reporting information of different users in order to obtain all correlated suspicion clue information of the same suspected subject.
Moreover, different reporting information may contain the same suspicion clue information. For example, reporting information A contains the suspicion clue information website a and mobile phone number a used in the fraud, and reporting information B contains website a and mobile phone number b; the website used in the fraud is therefore the same in reporting information A and reporting information B. In general, the suspected subjects corresponding to different reporting information that contains the same suspicion clue information are regarded as the same subject. Therefore, in order to obtain all relevant suspicion clue information of the same suspected subject, different reporting information can be subjected to correlation analysis by searching for the same suspicion clue information contained in different reporting information, which prepares for subsequently obtaining all the suspicion clue information of the same suspected subject.
103. Associating the reporting information containing the same suspicion clue information to generate a suspicion information graph.
After the same suspicion clue information in different reporting information has been found, the different reporting information containing the same suspicion clue information can be associated. The effect of associating different reporting information containing the same suspicion clue information is explained with a specific example. For the two pieces of reporting information A and B in step 102, both contain the same website a, so the two pieces of reporting information can be associated, that is, mobile phone number a, mobile phone number b and website a are treated as different suspicion clue information of the same suspected subject. If another piece of reporting information C contains the suspicion clue information website c and mobile phone number b, then reporting information B and reporting information C contain the same mobile phone number b, so these two pieces of reporting information can also be associated, that is, mobile phone number b, website a and website c are treated as different suspicion clue information of the same suspected subject. The suspected subject associated with reporting information A and B and the suspected subject associated with reporting information B and C contain the same suspicion clue information, so the two are regarded as the same suspected subject, and finally it is obtained that mobile phone number a, mobile phone number b, website a and website c all belong to the same suspected subject.
By associating different reporting information containing the same suspicion clue information, all suspicion clue information of the same suspected subject is obtained, and a suspicion information graph corresponding to all the suspicion clue information of that subject is generated, so that the security officer obtains all the suspicion clue information of the same suspected subject, which helps the security officer investigate the case. Fig. 2 is a schematic diagram of the suspicion information graph of one suspected subject, whose suspicion clue information includes four types: whois mailbox, telephone number, QQ number and website. In practice, the types, number and content of the suspicion clue information differ between suspected subjects, so the generated suspicion information graphs also differ. Fig. 2 is one representation of a suspicion information graph; representations other than the star structure of fig. 2 may also be used.
The information processing method provided by this embodiment first obtains the reporting information reported by different users; secondly, searches for the same suspicion clue information in the reporting information of different users; and finally associates the reporting information containing the same suspicion clue information to generate a suspicion information graph, which is used to display all the suspicion clue information of the same suspected subject. Compared with the prior art, this embodiment associates the reporting information of different users that contains the same suspicion clue information to obtain the suspicion information graph of the same suspected subject; the graph contains all suspicion clue information related to that subject in the users' reporting information, so the security personnel obtain all the suspicion clue information of the same suspected subject and can determine the suspected subject more quickly, which improves the handling efficiency.
Further, as a refinement and an extension of the method shown in fig. 1, another embodiment of the present invention further provides an information processing method. As shown in fig. 3, the method includes:
301. Acquiring the reporting information reported by different users.
The implementation of this step is the same as that of step 101 in fig. 1, and is not described here again.
302. Searching for the same suspicion clue information in different reporting information.
The implementation of this step is the same as that of step 102 in fig. 1, and is not described here again.
303. Respectively associating the reporting information containing the same suspicion clue information to obtain associated reporting information sets.
Since the same suspicion clue information is searched for across all the different reporting information, a plurality of pieces of shared suspicion clue information are obtained. For example, the search result of step 302 may be: 10 pieces of reporting information contain the same suspicion clue information mobile phone number a, 20 pieces contain the same website b, and 5 pieces contain the same mobile phone number b, so that mobile phone number a, website b and mobile phone number b are each a piece of suspicion clue information shared by several reports. In this step, the reporting information containing the same suspicion clue information is associated, that is, for each piece of shared suspicion clue information found, all reporting information containing it is collected together, so that a plurality of associated reporting information sets are obtained.
304. Associating different associated reporting information sets that contain the same reporting information to generate a suspicion information graph.
The different associated reporting information sets obtained in step 303 may themselves contain the same reporting information, and associated reporting information sets containing the same reporting information are also associated, so it is further necessary to associate the different associated reporting information sets containing the same reporting information in order to finally obtain the complete suspicion information graph of the suspected subject. The reason is explained with a specific example. Suppose the suspicion clue information contained in the reporting information A to E of five users is: A contains mobile phone number a and website a; B contains mobile phone number a and website b; C contains mobile phone number a and QQ number c; D contains website b and QQ number d; E contains b and website e. Analysis shows that the three pieces of reporting information A, B and C contain the same suspicion clue information mobile phone number a and form one associated reporting information set, and that B and D contain the same website b and form another associated reporting information set. The two sets both contain reporting information B, so they are associated with each other, and all the suspicion clue information they contain is identified as belonging to the same suspected subject. Associating in this way all the associated reporting information sets that share reporting information gives the complete suspicion information graph of the suspected subject.
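The following Python example is added here to illustrate both step 103 and steps 303 and 304; it is not code from the patent. It indexes every clue to the reports that contain it (the associated reporting information sets), merges sets that share a report with a union-find structure, and prints each resulting subject in the star form of fig. 2. The report ids and clue values are constructed for the example; reports A to D follow the step 304 example, report E is completed here with the assumed clues QQ number d and website e, and report F is an unrelated report that must stay separate.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

Clue = Tuple[str, str]  # (clue type, value), e.g. ("phone", "a")

# Constructed sample reports keyed by report id (not taken from the patent).
# A-D follow the step 304 example; E is an assumption; F is unrelated.
REPORTS: Dict[str, Set[Clue]] = {
    "A": {("phone", "a"), ("website", "a")},
    "B": {("phone", "a"), ("website", "b")},
    "C": {("phone", "a"), ("qq", "c")},
    "D": {("website", "b"), ("qq", "d")},
    "E": {("qq", "d"), ("website", "e")},
    "F": {("phone", "z"), ("website", "z")},
}


def associated_report_sets(reports: Dict[str, Set[Clue]]) -> Dict[Clue, Set[str]]:
    """Step 303: map every clue to the reports containing it and keep only the
    clues that at least two reports share (the associated reporting information sets)."""
    index: Dict[Clue, Set[str]] = defaultdict(set)
    for rid, clues in reports.items():
        for clue in clues:
            index[clue].add(rid)
    return {clue: rids for clue, rids in index.items() if len(rids) >= 2}


class DisjointSet:
    """Union-find over report ids: two reports land in one set whenever a chain
    of shared clues connects them, which is exactly the merge of step 304."""

    def __init__(self, items: Iterable[str]) -> None:
        self.parent = {item: item for item in items}

    def find(self, item: str) -> str:
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]  # path halving
            item = self.parent[item]
        return item

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_suspicion_graphs(reports: Dict[str, Set[Clue]]) -> Dict[Tuple[str, ...], Set[Clue]]:
    """Steps 103 / 304: merge associated report sets that share a report and
    collect every clue of each merged group.  Returns {sorted report ids: clues}."""
    ds = DisjointSet(reports)
    for rids in associated_report_sets(reports).values():
        first, *rest = sorted(rids)
        for other in rest:
            ds.union(first, other)
    members: Dict[str, Set[str]] = defaultdict(set)
    for rid in reports:
        members[ds.find(rid)].add(rid)
    return {
        tuple(sorted(group)): set().union(*(reports[rid] for rid in group))
        for group in members.values()
    }


def render_star(subject_id: str, clues: Set[Clue]) -> str:
    """Text rendering of the star structure of fig. 2: the suspected subject in
    the centre and one spoke per clue type."""
    by_type: Dict[str, list] = defaultdict(list)
    for ctype, value in sorted(clues):
        by_type[ctype].append(value)
    lines = [f"[{subject_id}]"]
    for ctype in sorted(by_type):
        lines.append(f"  +-- {ctype}: {', '.join(by_type[ctype])}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ids, clues in build_suspicion_graphs(REPORTS).items():
        print(render_star("subject of reports " + "".join(ids), clues))
```

Because the merge is transitive, one clue that is not specific to a subject (a widely used legitimate website or a shared payment account, for instance) would fold unrelated subjects into one graph; in practice an operator restricts the merging step to clue types that identify a subject and treats the rest as attributes, which is why the clue type is carried alongside the value.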
Further, the generated suspicion information graph is checked by the network security personnel, so the graph needs to be presented to them in some way. When checking the suspicion information graph, the network security personnel usually input one or more pieces of suspicion clue information, and the suspicion information graph of the suspected subject corresponding to that suspicion clue information is then displayed, so that the network security personnel quickly and comprehensively acquire all the suspicion clue information of a given suspected subject, which improves the handling efficiency. In addition, this provides sufficient evidence for the network security personnel to open a case: for example, the fraud amount involved in one phishing case may not reach the case-opening standard, but through the suspicion information graph all suspicion clue information belonging to the same suspected subject as that case can be checked, other cases corresponding to the other suspicion clue information can be found, and the amount involved in the plurality of cases together can reach the case-opening standard.
Further, on the basis of displaying the generated suspicion information graph to the network security personnel, a query instruction is received, where the query instruction selects any suspicion clue information contained in the suspicion information graph, and the reporting information corresponding to the selected suspicion clue information is then searched for according to the query instruction. The corresponding reporting information is searched for in order to display all the content of the reporting information corresponding to that suspicion clue information, so that the network security personnel can directly obtain useful information: the reporting information contains not only the suspicion clue information but also the personal information of the victim, a specific description of the case and the like, which are not shown in the suspicion information graph. For example, if the security officer wants to obtain, through the victim, more detailed information about how the suspected subject related to a certain piece of suspicion clue information carried out the fraud, the security officer can obtain the contact address of the victim from the reporting information and get in touch. Further, first statistical information that contains the suspicion clue information corresponding to the query instruction and corresponds to different areas and/or different preset time periods is searched for according to the query instruction. The first statistical information mainly refers to the number of cases related to a certain piece of suspicion clue information in different areas or different preset time periods, the total amount of the corresponding cases, the number or proportion of damaged objects (male, female, company, individual and the like) in the corresponding cases, and the like.
Specific examples are: counting the number of all cases reporting the suspicion clue information in one day; counting the total number of cases reporting the suspicion clue information in each province up to the current time; counting the proportion of male and female victims corresponding to the suspicion clue information; and the like. In this embodiment each case corresponds to one piece of reporting information. It should be noted that the statistics included in the first statistical information can be freely set according to actual application requirements, including the setting of the area, the preset time period, the type of damaged object and the like.
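The query instruction and the first statistical information described above, as an added Python example rather than code from the patent. A report record carries the fields the text names (area, date, amount, damaged object type, clues and the victim contact that is only revealed on drill-down); `reports_for_clue` answers the query instruction for one selected clue, and `first_statistics` computes the case count per area and per day, the total amount and the share of each damaged object type, optionally within a preset time period. All report values are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

Clue = Tuple[str, str]  # (clue type, value)


@dataclass(frozen=True)
class Report:
    rid: str
    region: str
    day: date
    amount: int            # fraud amount in yuan
    victim: str            # damaged object type: "male", "female" or "company"
    clues: FrozenSet[Clue]
    contact: str           # victim contact, shown only when a report is opened


# Constructed sample reporting information (not taken from the patent text).
REPORTS: List[Report] = [
    Report("R1", "Guangdong", date(2015, 1, 5), 800, "male",
           frozenset({("website", "a"), ("phone", "a")}), "contact-R1"),
    Report("R2", "Guangdong", date(2015, 1, 5), 300, "female",
           frozenset({("website", "a")}), "contact-R2"),
    Report("R3", "Zhejiang", date(2015, 1, 20), 1500, "company",
           frozenset({("website", "a"), ("phone", "b")}), "contact-R3"),
    Report("R4", "Beijing", date(2015, 2, 10), 200, "male",
           frozenset({("website", "a")}), "contact-R4"),
    Report("R5", "Beijing", date(2015, 1, 6), 900, "female",
           frozenset({("website", "c")}), "contact-R5"),
]


def reports_for_clue(reports: List[Report], clue: Clue,
                     start: Optional[str] = None, end: Optional[str] = None) -> List[Report]:
    """Query instruction: every report containing the selected clue, optionally
    restricted to an inclusive preset time period given as ISO dates."""
    lo = date.fromisoformat(start) if start else None
    hi = date.fromisoformat(end) if end else None
    return [
        r for r in reports
        if clue in r.clues
        and (lo is None or r.day >= lo)
        and (hi is None or r.day <= hi)
    ]


def first_statistics(reports: List[Report], clue: Clue,
                     start: Optional[str] = None, end: Optional[str] = None) -> Dict[str, object]:
    """First statistical information for one clue: case counts per area and per
    day, total fraud amount, and the share of each damaged object type.
    An empty result (no matching report) yields zero counts instead of an error."""
    matched = reports_for_clue(reports, clue, start, end)
    n = len(matched)
    victims = Counter(r.victim for r in matched)
    return {
        "cases": n,
        "total_amount": sum(r.amount for r in matched),
        "by_region": dict(Counter(r.region for r in matched)),
        "by_day": dict(Counter(r.day.isoformat() for r in matched)),
        "victim_share": {k: v / n for k, v in victims.items()} if n else {},
    }


if __name__ == "__main__":
    print(first_statistics(REPORTS, ("website", "a")))
    print(first_statistics(REPORTS, ("website", "a"), "2015-01-01", "2015-01-31"))
```

The total amount returned for a clue is the figure the text describes for the case-opening check: several small reports tied to the same clue are summed, so a subject whose individual cases fall below the standard is still visible in aggregate.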
Furthermore, since the reporting information of an ordinary user does not contain the IP address corresponding to the fraud website, while the IP address is suspicion clue information that the network security personnel may use during case investigation, after the suspicion information graph is generated the corresponding IP address of each website contained in the graph is obtained through Domain Name System (DNS) resolution and added to the suspicion information graph, so that the graph is more complete.
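The DNS enrichment step, as an added Python example that is not part of the patent. The resolver is injected as a function so that the lookup can come from the operating system resolver (`system_resolver`, using `socket.getaddrinfo`) or from a passive-DNS export or other offline table, which is what an investigation team normally prefers so that lookups are not sent to name servers the suspected subject controls; the table used here, its host names (RFC 2606 `.example` names) and its addresses (RFC 5737 documentation ranges) are constructed and are not real indicators. Websites that do not resolve (expired or sinkholed domains) are reported separately rather than silently dropped.

```python
import socket
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

Clue = Tuple[str, str]                  # (clue type, value)
Resolver = Callable[[str], List[str]]   # host name -> list of IP addresses


def system_resolver(host: str) -> List[str]:
    """Resolve a host name with the OS resolver.  An empty list means the name
    did not resolve (NXDOMAIN, sinkholed, or no network)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def hostname_of(website: str) -> str:
    """Accept a bare host, host:port or a full URL as it appears in a report and
    return only the lower-cased host part."""
    if "://" not in website:
        website = "http://" + website
    return (urlsplit(website).hostname or "").lower()


def add_ip_clues(graph: Set[Clue], resolver: Resolver = system_resolver
                 ) -> Tuple[Set[Clue], Dict[str, List[str]], List[str]]:
    """Resolve every website clue of a suspicion information graph and add one
    ("ip", address) clue per address.  Returns the enriched graph, the
    website -> addresses mapping, and the websites that did not resolve."""
    enriched = set(graph)
    mapping: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    for ctype, value in sorted(graph):
        if ctype != "website":
            continue
        host = hostname_of(value)
        ips = resolver(host) if host else []
        if not ips:
            unresolved.append(value)
            continue
        mapping[value] = ips
        enriched.update(("ip", ip) for ip in ips)
    return enriched, mapping, unresolved


# Constructed lookup table standing in for a passive-DNS export (assumption).
FAKE_DNS: Dict[str, List[str]] = {
    "phish.example": ["203.0.113.5"],
    "mirror.example": ["203.0.113.5", "198.51.100.7"],
}


def table_resolver(host: str) -> List[str]:
    """Offline resolver backed by FAKE_DNS."""
    return FAKE_DNS.get(host, [])


# Constructed graph of one suspected subject: two websites share an address,
# one website no longer resolves, and a phone clue is left untouched.
SAMPLE_GRAPH: Set[Clue] = {
    ("website", "http://phish.example/login"),
    ("website", "mirror.example:8080"),
    ("website", "gone.example"),
    ("phone", "a"),
}


if __name__ == "__main__":
    enriched, mapping, unresolved = add_ip_clues(SAMPLE_GRAPH, table_resolver)
    print(sorted(enriched))
    print(mapping)
    print("unresolved:", unresolved)
```

An address obtained this way is an enrichment attribute, not a strong link on its own: bulk hosting and content delivery networks put many unrelated sites behind one address, so a shared IP should corroborate a match on an account or domain rather than merge subjects by itself.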
Further, as a refinement and an extension of the method shown in fig. 1 and fig. 3, another embodiment of the present invention further provides a method for processing information. As shown in fig. 4, the method includes:
401. Receiving the reporting information reported by different users.
The implementation of this step is the same as that of step 101 in fig. 1, and is not described here again.
402. Classifying the different reporting information to generate a reporting information association graph.
Classifying the different reporting information means reclassifying it according to the types of the different suspicion clue information contained in the reporting information. Different types correspond to different query dimensions; the query dimensions in this embodiment include fraud area, fraud amount, fraud time, fraud object, fraud mode, amount payment mode and the like. Fig. 5 is a schematic diagram of the generated reporting information association graph, which includes the six query dimensions fraud area, fraud amount, fraud time, fraud object, fraud mode and amount payment mode. The fraud area includes the provinces nationwide; the fraud amount is divided into the types below 500 yuan, 500 to 1000 yuan and above 1000 yuan; the fraud time includes types such as the current day and the previous week; the fraud mode includes types such as telephone fraud and website fraud; and the amount payment mode includes Alipay payment, WeChat payment, Yibao payment and the like. It should be noted that in actual application the reporting information may be classified according to other query dimensions as required, and that the association graph in this embodiment is organized as a star structure but may also be organized in other forms. The ellipses in fig. 5 indicate that there may be more types.
403. A query condition is received, the query condition including at least one query dimension.
A query condition is received on the basis of the reporting information association graph, where the query condition includes at least one of the query dimensions of step 402.
404. Querying second statistical information corresponding to all the reporting information that matches the query condition.
After the query condition is received, the second statistical information of all the corresponding reporting information is queried according to the query dimensions contained in the query condition. The second statistical information is the statistics of the reporting information matching the query condition on each of the different query dimensions. Specifically: if the query condition consists of the two query dimensions fraud time 2015.1.2-2015.2.1 and fraud amount 500-1000 yuan, and 100 pieces of reporting information match these two query dimensions, then the 100 pieces of reporting information are classified and counted according to the different query dimensions, for example: which provinces and cities the 100 pieces of reporting information are distributed in and how many fall in each; the total fraud amount involved in each province and city; the number or proportion of male and female victims in the reporting information; which types of fraud mode are involved and the number of each type; which types of amount payment mode are involved and the number of each type; the number of the 100 pieces of reporting information per day in the period 2015.1.2-2015.2.1; and the like. In addition, in actual application, for dimensions with many categories it is also possible to display only part of the corresponding data, for example, for different areas, only the number of reports of the areas where the number exceeds 10, or only the number of reports of the three areas with the most reports, or, for the fraud amount, only the total amount of the three areas with the largest total amount, and the like.
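Steps 402 to 404 carried through in Python, as an added example that is not code from the patent. `classify` assigns each report to a class on the six query dimensions of fig. 5, `matches` evaluates a query condition (a date range on the time dimension and an exact class on any other dimension), and `second_statistics` distributes the matching reports over every dimension, with the two display cut-offs the text mentions: keep only the largest N classes, or only classes whose count reaches a threshold. The report records, the band boundaries (below 500 is strictly less than 500, the middle band includes both 500 and 1000) and the class names are assumptions made for the example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

DIMENSIONS = ("region", "amount", "time", "object", "mode", "payment")

# Constructed sample reports (not from the patent); "day" is an ISO date string.
REPORTS: List[Dict] = [
    {"rid": "R1", "region": "Guangdong", "day": "2015-01-10", "amount": 800,
     "victim": "male", "mode": "phone fraud", "payment": "Alipay"},
    {"rid": "R2", "region": "Guangdong", "day": "2015-01-15", "amount": 600,
     "victim": "female", "mode": "website fraud", "payment": "WeChat"},
    {"rid": "R3", "region": "Zhejiang", "day": "2015-01-20", "amount": 950,
     "victim": "company", "mode": "website fraud", "payment": "Alipay"},
    {"rid": "R4", "region": "Beijing", "day": "2015-01-25", "amount": 300,
     "victim": "male", "mode": "website fraud", "payment": "Yibao"},
    {"rid": "R5", "region": "Beijing", "day": "2015-02-05", "amount": 700,
     "victim": "female", "mode": "phone fraud", "payment": "Alipay"},
    {"rid": "R6", "region": "Shanghai", "day": "2015-01-30", "amount": 1000,
     "victim": "male", "mode": "website fraud", "payment": "WeChat"},
]

# Query condition of the text: fraud time 2015.1.2-2015.2.1 and amount 500-1000 yuan.
CONDITION = {"time": ("2015-01-02", "2015-02-01"), "amount": "500 to 1000 yuan"}


def amount_band(amount: int) -> str:
    """Fraud amount classes of fig. 5; the boundary handling is an assumption."""
    if amount < 500:
        return "below 500 yuan"
    if amount <= 1000:
        return "500 to 1000 yuan"
    return "above 1000 yuan"


def classify(report: Dict) -> Dict[str, str]:
    """Step 402: class of one report on each of the six query dimensions."""
    return {
        "region": report["region"],
        "amount": amount_band(report["amount"]),
        "time": report["day"],
        "object": report["victim"],
        "mode": report["mode"],
        "payment": report["payment"],
    }


def matches(report: Dict, condition: Dict) -> bool:
    """Step 403: the time dimension takes an inclusive (start, end) pair of ISO
    dates; every other dimension must equal the requested class."""
    cls = classify(report)
    for dim, wanted in condition.items():
        if dim == "time":
            start, end = wanted
            if not (start <= cls["time"] <= end):
                return False
        elif cls[dim] != wanted:
            return False
    return True


def trim(counter: Counter, top: Optional[int], min_count: Optional[int]) -> Dict[str, int]:
    """Display cut-offs: drop classes under a threshold, then keep the largest N."""
    items = counter.most_common()
    if min_count is not None:
        items = [(k, v) for k, v in items if v >= min_count]
    if top is not None:
        items = items[:top]
    return dict(items)


def second_statistics(reports: List[Dict], condition: Dict,
                      top: Optional[int] = None, min_count: Optional[int] = None) -> Dict[str, object]:
    """Step 404: counts of the matching reports on every dimension plus the
    total fraud amount per area (the amount ranking is limited by `top` only)."""
    matched = [r for r in reports if matches(r, condition)]
    stats: Dict[str, object] = {"cases": len(matched)}
    for dim in DIMENSIONS:
        stats[dim] = trim(Counter(classify(r)[dim] for r in matched), top, min_count)
    amount_by_region: Counter = Counter()
    for r in matched:
        amount_by_region[r["region"]] += r["amount"]
    stats["amount_by_region"] = trim(amount_by_region, top, None)
    return stats


if __name__ == "__main__":
    print(second_statistics(REPORTS, CONDITION))
    print(second_statistics(REPORTS, CONDITION, top=3))
```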
Further, as an implementation of the foregoing embodiments, another embodiment of the present invention provides an information processing apparatus configured to implement the methods described in fig. 1, fig. 3 and fig. 4. As shown in fig. 6, the apparatus includes an acquisition unit 601, a clue information search unit 602 and an information graph generation unit 603.
an acquisition unit 601, configured to acquire the reporting information reported by different users;
a clue information search unit 602, configured to search for the same suspicion clue information in different reporting information;
an information graph generation unit 603, configured to associate the reporting information containing the same suspicion clue information to generate a suspicion information graph, where the suspicion information graph is used to display all the suspicion clue information of the same suspected subject.
Further, as shown in fig. 7, the information graph generation unit 603 includes:
a first associating module 6031, configured to respectively associate the reporting information containing the same suspicion clue information to obtain associated reporting information sets;
a second associating module 6032, configured to associate different associated reporting information sets that contain the same reporting information to generate a suspicion information graph.
Further, the suspicion clue information in the clue information search unit 602 includes: communication accounts, websites and mailboxes.
Further, as shown in fig. 7, the apparatus further includes:
an instruction receiving unit 604, configured to receive a query instruction, where the query instruction selects suspicion clue information contained in the suspicion information graph;
a reporting information search unit 605, configured to search for the reporting information corresponding to the suspicion clue information selected by the query instruction;
a statistical information search unit 606, configured to search for first statistical information that contains the suspicion clue information corresponding to the query instruction and corresponds to different areas and/or different preset time periods.
Further, as shown in fig. 7, the apparatus further includes:
a resolving unit 607, configured to perform domain name resolution on the websites contained in the suspicion information graph to obtain the corresponding IP addresses;
an adding unit 608, configured to add the IP addresses to the suspicion information graph.
Further, as shown in fig. 7, the apparatus further includes:
an association graph generation unit 609, configured to classify the reporting information reported by different users to generate a reporting information association graph, where different types correspond to different query dimensions, and the query dimensions include fraud area, fraud amount, fraud time, fraud object, fraud mode and amount payment mode.
Further, as shown in fig. 7, the apparatus further includes:
a condition receiving unit 610, configured to receive a query condition, where the query condition includes at least one query dimension;
a query unit 611, configured to query second statistical information corresponding to all the reporting information matching the query condition, where the second statistical information is the statistics of the corresponding reporting information on the different query dimensions.
The information processing apparatus provided by this embodiment first obtains the reporting information reported by different users; secondly, searches for the same suspicion clue information in the reporting information of different users; and finally associates the reporting information containing the same suspicion clue information to generate a suspicion information graph, which is used to display all the suspicion clue information of the same suspected subject. Compared with the prior art, this embodiment associates the reporting information of different users that contains the same suspicion clue information to obtain the suspicion information graph of the same suspected subject; the graph contains all suspicion clue information related to that subject in the users' reporting information, so the security personnel obtain all the suspicion clue information of the same suspected subject and can determine the suspected subject more quickly, which improves the handling efficiency.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above may refer to one another. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not indicate their relative merits.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an information processing apparatus according to an embodiment of the invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third and so on does not indicate any ordering. These words may be interpreted as names.